Abstract

After attacks on RSA by fault injection and the corresponding countermeasures, works now appear on the need to protect the RSA public elements against fault attacks. We provide here an extension of a recent attack [BCG08] based on the corruption of the public modulus. The difficulty of decomposing the "Left-To-Right" exponentiation into partial multiplications is overcome by modifying the public modulus into a number with known factorization. This fault model is justified here by a complete study of faulty prime numbers of a fixed size. The good success rate of this attack combined with its practicability raises the question of using faults to change the algebraic properties of finite-field based cryptosystems.

Keywords: RSA, fault attacks, "Left-To-Right" exponentiation, number theory.

1 Introduction

Injecting faults during the execution of cryptographic algorithms is a powerful way to recover secret information. Such a principle was first published by Bellcore researchers [BDL97, BDL01] against multiple public key cryptosystems. Indeed, these papers provide successful applications including RSA in both standard and CRT modes. This work was completed, and named Differential Fault Analysis (DFA), by E. Biham and A. Shamir with applications to secret key cryptosystems [BS97]. The growing popularity of this kind of attack in the last decade was based on the ease of modifying the behavior of an execution [BECN+06] and the difficulty of elaborating efficient countermeasures [BOS03, Wag04, Gir05b].

Many applications against the RSA cryptosystem, based on fault injection, have been published. The first ones dealt with the perturbation of the private key or of temporary values during the computation [BDL97, BDJ+98, BDL01]. The perturbation of public elements was considered as a real threat when J-P. Seifert published an attack on the RSA signature check mechanism [Sei05, Mui06]. This paper first mentions the possibility of modifying the public modulus such that the faulty one is prime or easy to factor. Then, E. Brier et al. extended this work to the full recovery of the private exponent $d$ for various RSA implementations [BCMCC06]. Both works are based on the assumption that the fault occurs before the RSA modular exponentiation is performed. A. Berzati et al. first addressed the issue of modifying the modulus during the exponentiation [BCG08]. Still, this work was limited to an application against "Right-To-Left" type exponentiation algorithms.

In this paper we aim to generalize the previous attack to "Left-To-Right" type exponentiations. Under the fault assumption that the modulus can become a number with a known factorization, we prove that it is possible to recover the whole private exponent. We provide a detailed study of this fault model, based on number theory, to show its consistency and its practicability for various kinds of perturbation. Finally, we propose an algorithm to recover the whole private exponent that is efficient both in terms of number of faults and in computational time.

2 Background

2.1 Notations

Let $N$, the public modulus, be the product of two large prime numbers $p$ and $q$. The length of $N$ is denoted by $n$. Let $e$ be the public exponent, coprime to $\varphi(N) = (p-1) \cdot (q-1)$, where $\varphi(\cdot)$ denotes Euler's totient function. The public exponent $e$ is linked to the private exponent $d$ by the equation $e \cdot d = 1 \bmod \varphi(N)$. The private exponent $d$ is used to perform the following operations.

RSA Decryption: Decrypting a ciphertext $C$ boils down to computing $\tilde{m} = C^{d} \bmod N = C^{\sum_{i=0}^{n-1} 2^i \cdot d_i} \bmod N$, where $d_i$ stands for the $i$-th bit of $d$. If no error occurs during the computation, transmission or decryption of $C$, then $\tilde{m}$ equals $m$.

RSA Signature: The signature of a message $m$ is given by $S = \tilde{m}^{d} \bmod N$, where $\tilde{m} = \mu(m)$ for some hash and/or deterministic padding function $\mu$. The signature $S$ is validated by checking that $S^{e} = \tilde{m} \bmod N$.
2.2 Modular exponentiation algorithms

Algorithm 1: "Right-To-Left" modular exponentiation

INPUT: m, d, N
OUTPUT: A = m^d mod N

1 : A := 1;
2 : B := m;
3 : for i from 0 upto (n - 1)
4 :     if (d_i == 1)
5 :         A := (A · B) mod N;
6 :     end if
7 :     B := B^2 mod N;
8 : end for
9 : return A;

Binary exponentiation algorithms are often used for computing the RSA modular exponentiation $m^{d} \bmod N$, where the exponent $d$ is expressed in binary form as $d = \sum_{i=0}^{n-1} 2^i \cdot d_i$. Their polynomial complexity with respect to the input length makes them very interesting for performing modular exponentiations.

Algorithm 1 describes a way to compute modular exponentiations by scanning the bits of $d$ from the least significant bit (LSB) to the most significant bit (MSB). That is why it is usually referred to as the "Right-To-Left" modular exponentiation algorithm. This is the specific implementation that is attacked in [BCG08] by corrupting the public modulus of RSA.

The dual algorithm that implements the binary modular exponentiation is the "Left-To-Right" exponentiation described in Algorithm 2. This algorithm scans the bits of the exponent from MSB to LSB and is lighter than the "Right-To-Left" one in terms of memory consumption.

3 Modification of the modulus and extension attempt

3.1 Previous work

J-P. Seifert first addressed the issue of corrupting RSA public key elements [Sei05, Mui06]. This fault attack aims to make a signature verification mechanism accept false signatures by modifying the value of the public modulus $N$. No information about the private exponent $d$ is revealed by this fault attack. Its efficiency is linked to the attacker's ability to reproduce the fault model chosen for the modification of the modulus.
Algorithm 2: "Left-To-Right" modular exponentiation

INPUT: m, d, N
OUTPUT: A = m^d mod N

1 : A := 1;
2 : for i from (n - 1) downto 0
3 :     A := A^2 mod N;
4 :     if (d_i == 1)
5 :         A := (A · m) mod N;
6 :     end if
7 : end for
8 : return A;

Seifert's work inspired the authors of [BCMCC06], who first used the public modulus perturbation to recover the whole private key $d$. The attacker has to perform a perturbation campaign to gather a large enough number of (message, faulty signature) pairs. As in Seifert's attack, the fault on the modulus is induced before executing the exponentiation. Three methods based on the use of the Chinese Remainder Theorem and the resolution of quite small discrete logarithms are proposed in [BCMCC06] and [Cla07] to recover the private exponent from the set of gathered pairs.

A new fault attack against "Right-To-Left" exponentiation has been presented lately [BCG08]. This work completes the state of the art by allowing the attacker to use other fault models for recovering the private exponent. The details of this work are presented below.

3.2 Public key perturbation during RSA execution: case of the "Right-To-Left" algorithm

3.2.1 Fault model.

In J-P. Seifert's and E. Brier et al.'s proposals [Sei05, BCMCC06] the fault is provoked before the exponentiation, so that the whole execution is performed with the faulty modulus $\hat{N}$.

The attack presented by A. Berzati et al. [BCG08] extends the fault model by allowing the attacker to inject the fault during the execution of the "Right-To-Left" exponentiation. The modification of $N$ is supposed to be a transient random byte fault: only one byte of $N$ is set to a random value. The value of the faulty modulus $\hat{N}$ is not known by the attacker. However, the time location of the fault is a parameter known by the attacker and used to perform the cryptanalysis. This fault model has been chosen for its simplicity and practicability in the smart card context [Gir05a, BO06]. Furthermore, it can be easily adapted to 16-bit or 32-bit architectures.

3.2.2 Faulty computation.

Let $d = \sum_{i=0}^{n-1} 2^i \cdot d_i$ be the binary representation of $d$. The output of an RSA signature can be written as:

    $S = \tilde{m}^{\sum_{i=0}^{n-1} 2^i \cdot d_i} \bmod N$    (1)

We consider that a fault has occurred $j$ steps before the end of the exponentiation, during the computation of a square. According to the fault model described, all subsequent operations are performed with a faulty modulus $\hat{N}$. We denote by $A = \tilde{m}^{\sum_{i=0}^{n-j} 2^i \cdot d_i} \bmod N$ the internal register value and by $\hat{B}$ the result of the faulty square:

    $\hat{B} = \left( \tilde{m}^{2^{n-j}} \bmod N \right)^2 \bmod \hat{N}$    (2)

Hence, the faulty signature $\hat{S}$ can be written as:

    $\hat{S} \equiv A \cdot \hat{B}^{\sum_{i=n-j+1}^{n-1} 2^{i-(n-j+1)} \cdot d_i} \bmod \hat{N}$    (3)

    $\hat{S} = \left[ \left( \tilde{m}^{\sum_{i=0}^{n-j} 2^i \cdot d_i} \bmod N \right) \cdot \left( \left( \tilde{m}^{2^{n-j}} \bmod N \right)^2 \right)^{\sum_{i=n-j+1}^{n-1} 2^{i-(n-j+1)} \cdot d_i} \right] \bmod \hat{N}$    (4)

From the previous expression of $\hat{S}$, one can first notice that the fault injection splits the computation into a correct part (computed with $N$) and a faulty part (computed with $\hat{N}$). A part of $d$ is used during the faulty computation. This is exactly the secret exponent part that will be recovered in the following analysis.

3.2.3 Attack principle.

From both the correct signature $S$ and the faulty one $\hat{S}$ (obtained from the same message $m$), the attacker can recover the isolated part of the private key $d_{(j)} = \sum_{i=n-j+1}^{n-1} 2^i \cdot d_i$. Indeed, he tries to find simultaneously candidate values for the faulty modulus $\hat{N}'$ (according to the random byte fault assumption) and for the part of the exponent $d'_{(j)}$ that satisfy:

    $\hat{S} = \left( S \cdot \tilde{m}^{-d'_{(j)}} \bmod N \right) \cdot \left( \left( \tilde{m}^{2^{n-j}} \bmod N \right)^2 \right)^{d'_{(j)} / 2^{n-j+1}} \bmod \hat{N}'$    (5)

According to [BCG08], the pair $(d'_{(j)}, \hat{N}')$ that satisfies (5) is the right one with a probability very close to 1. Then, the subsequent secret bits will be found by repeating this attack using the knowledge of the already found most significant bits of $d$ and a signature faulted earlier in the process. In terms of number of faults, the whole private key recovery requires an average of $n/l$ faulty signatures, where $l$ is the average number of bits recovered each time. As a consequence, this small number of required faults makes the attack both efficient and practicable.



3.3 Application to the "Left-To-Right" modular exponentiation

In this section, we try to apply the previously explained fault attack to the "Left-To-Right" implementation of RSA. Under the same fault model, we wanted to know what prevents an attacker from reproducing the attack against the dual implementation.

We denote by $A$ the internal register value just before the modification of the modulus $N$:

    $A = \tilde{m}^{\sum_{i=j}^{n-1} 2^{i-j} \cdot d_i} \bmod N$    (6)

Hence, knowing that the first perturbed operation is a square, the faulty signature $\hat{S}$ can be written as:

    $\hat{S} = \left( \cdots \left( \left( A^2 \cdot \tilde{m}^{d_{j-1}} \right)^2 \cdot \tilde{m}^{d_{j-2}} \right)^2 \cdots \right)^2 \cdot \tilde{m}^{d_0} \bmod \hat{N}$    (7)

    $\hat{S} = A^{2^j} \cdot \tilde{m}^{\sum_{i=0}^{j-1} 2^i \cdot d_i} \bmod \hat{N}$

By observing (7), one can notice that the perturbation has two consequences on the faulty signature $\hat{S}$. First, it splits the computation into a correct part (i.e. the internal register value $A$) and a faulty one, as for the perturbation of the "Right-To-Left" exponentiation [BCG08]. The other one is the addition of $j$ cascaded squares of the local variable $A$, computed modulo $\hat{N}$. This added operation defeats the previous attack on the "Right-To-Left" exponentiation [BCG08] because of the difficulty of computing square roots in RSA rings.

Our idea for generalizing the previous attack to the "Left-To-Right" exponentiation is to take advantage of the modulus modification to change the algebraic properties of the RSA ring. In other words, if $\hat{N}$ is a prime number, then it is possible to compute square roots in polynomial time. Moreover, it is actually sufficient that $\hat{N}$ is $B$-smooth with $B$ small enough to enable an easy factorization of $\hat{N}$: the Chinese Remainder Theorem then also enables computing square roots in polynomial time. We show next that the number of primes $\hat{N}$ is anyway sufficient to provide a realistic fault model.
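The split just described, as an added example (my code, not the paper's): both exponentiation algorithms of Section 2.2 with a hook that switches the modulus to a faulty value $\hat{N}$ from the square performed $j$ steps before the end, checked against the closed forms (4) and (7). The toy key (the known primes $2^{16}+1$ and $2^{31}-1$, $e = 5$) and the faulty modulus (byte 1 of $N$ XORed with 0x5A) are constructed for the example; $\hat{N}$ does not need to be prime for this check, which is only about where the faulty part of the computation starts and what it leaves of the register $A$.

```python
# Added example: Algorithms 1 and 2 with a transient modulus fault, used to
# check the closed forms (4) and (7).  The key below is a constructed toy key.
P, Q = 65537, 2147483647        # known primes 2^16 + 1 and 2^31 - 1 (toy size)
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 5                           # public exponent, coprime to PHI
D = pow(E, -1, PHI)             # e * d = 1 mod phi(N)
NBITS = N.bit_length()          # the paper's n


def right_to_left(m, d, n_bits, mod, j=None, fault_mod=None):
    """Algorithm 1.  With j set, the square of iteration i = n - j (j steps
    before the end) and everything after it are computed modulo fault_mod."""
    a, b = 1, m % mod
    for i in range(n_bits):
        if (d >> i) & 1:
            a = a * b % mod
        if j is not None and i == n_bits - j:   # the faulty square
            mod = fault_mod
        b = b * b % mod
    return a


def left_to_right(m, d, n_bits, mod, j=None, fault_mod=None):
    """Algorithm 2.  With j set, the square of iteration i = j - 1 (j steps
    before the end) and everything after it are computed modulo fault_mod."""
    a = 1
    for i in range(n_bits - 1, -1, -1):
        if j is not None and i == j - 1:        # the faulty square
            mod = fault_mod
        a = a * a % mod
        if (d >> i) & 1:
            a = a * m % mod
    return a


def closed_forms_hold(m, j, fault_mod):
    """(rtl_ok, ltr_ok): do the faulty outputs match (4) and (7) for a fault j
    steps before the end?  Both computations split into a correct part (mod N)
    and a faulty part (mod fault_mod), but only Left-To-Right leaves the
    register A raised to the 2^j-th power."""
    n = NBITS
    # Right-To-Left, equation (4): A = m^(d mod 2^(n-j+1)) mod N is correct,
    # B_hat = (m^(2^(n-j)) mod N)^2 mod N_hat is the faulty square.
    a = pow(m, D % (1 << (n - j + 1)), N)
    b_hat = pow(pow(m, 1 << (n - j), N), 2, fault_mod)
    rtl_ok = (right_to_left(m, D, n, N, j, fault_mod)
              == a * pow(b_hat, D >> (n - j + 1), fault_mod) % fault_mod)
    # Left-To-Right, equation (7): A = m^(d >> j) mod N is the register before
    # the fault, then S_hat = A^(2^j) * m^(d mod 2^j) mod N_hat.
    a = pow(m, D >> j, N)
    ltr_ok = (left_to_right(m, D, n, N, j, fault_mod)
              == pow(a, 1 << j, fault_mod) * pow(m, D % (1 << j), fault_mod)
              % fault_mod)
    return rtl_ok, ltr_ok
```

The faulty Right-To-Left output only involves $A$ and a power of $\hat{B}$, which is why [BCG08] can test candidate pairs directly, whereas the Left-To-Right output contains $A^{2^j}$, the quantity that forces the square-root computations of the next sections.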



4 Fault model

According to the previous section, the square root problem can be overcome by perturbing the modulus such that $\hat{N}$ is prime. In this section we study the consistency and the practicability of such a fault model. Even though this model has already been adopted in Seifert's attack [Mui06, Sei05], we propose next further experimental evidence of the practicability of this model.



4.1 Theoretical estimations

Let us first estimate the number of primes with a fixed number of bits. From [Dus98, Theorem 1.10], we have the following bounds for the number of primes $\pi(x)$ below a certain integer $x$:

    $\pi(x) \geq \frac{x}{\ln(x)} \left( 1 + \frac{1}{\ln(x)} + \frac{1.8}{\ln^2(x)} \right)$, for $x \geq 32299$;    (8)

    $\pi(x) \leq \frac{x}{\ln(x)} \left( 1 + \frac{1}{\ln(x)} + \frac{2.51}{\ln^2(x)} \right)$, for $x \geq 355991$.

Then, for numbers of exactly $t$ bits such that $t > 19$ bits, the number of primes is $\pi_t = \pi(2^t) - \pi(2^{t-1})$. By using the previous bounds (8), the probability that a $t$-bit number is prime, $pr_t = \pi_t / 2^{t-1}$, satisfies:

    $L_p(t) = \frac{0.480\,t^5 - 1.229\,t^4 + 0.0265\,t^3 - 7.602\,t^2 + 9.414\,t - 3.600}{t^3 (t-1)^3 \ln^3(2)} \;\leq\; pr_t \;\leq\; U_p(t) = \frac{0.480\,t^5 - 1.229\,t^4 + 2.157\,t^3 - 11.862\,t^2 + 13.674\,t - 5.02}{t^3 (t-1)^3 \ln^3(2)}$    (9)

(the lower bound $L_p$ combines the lower bound on $\pi(2^t)$ with the upper bound on $\pi(2^{t-1})$, and conversely for $U_p$). For instance, if $t = 1024$ bits:

    $L_p(1024) \approx \frac{1}{709.477}$ and $U_p(1024) \approx \frac{1}{709.474}$.

Therefore around one 1024-bit number out of 709 is prime; and among the 2048-bit numbers, about one out of 1419 is prime.

Consider now a set of $k$ randomly selected numbers of exactly $t$ bits and let $PN$ be the random variable expressing the number of primes in this set. This variable follows a binomial law $\mathcal{B}(k, pr_t)$. Then we can give the following confidence interval for the number of primes (with $a$ and $b$ integer bounds):

    $\Pr[a \leq PN \leq b] = \sum_{i=a}^{b} \binom{k}{i} \, pr_t^{\,i} \, (1 - pr_t)^{k-i}$    (10)

For example, we construct the following set $\mathcal{N}$ according to a random byte fault model. In other words, if $\oplus$ is the bit by bit exclusive OR, then¹:

    $\mathcal{N} = \{ N \oplus R_8 \cdot 2^{8i} \;:\; R_8 = 0 \ldots 255,\; i = 0 \ldots (n/8 - 1) \}$

Then the cardinality of $\mathcal{N}$ is

    $|\mathcal{N}| = 256 \cdot \frac{n}{8} = 32 \cdot n$

Would the set $\mathcal{N}$ be composed of randomly selected values, then the proportion of primes in $\mathcal{N}$ would follow (9). Hence, we can set $k = |\mathcal{N}|$ and compute the corresponding average and bounds with an approximation of $pr_t$. For $n = 1024$, according to (9) we can estimate $pr_{1024}$, and thus the average number of faulty primes is $32 \cdot 1024 / 709.47 \approx 46.186$. Equation (10) combined with the estimation of $pr_{1024}$ shows also that the number of primes in such a set lies in $[18, 80]$ in 99.999% of the cases. For $n = 2048$, the average number of primes is 46.176 and lies between 18 and 80 in 99.999% of the cases. Obviously $\mathcal{N}$ is not a set of randomly chosen elements; howbeit, empirical evidence shows that such sets behave quite like random sets of elements, as shown below.
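As an added illustration of the estimates above (my code, not the paper's), the following Python evaluates the Dusart bounds (8), the resulting bounds (9) on $pr_t$, the expected number of prime faulty moduli $|\mathcal{N}| \cdot pr_n$ for the byte, 16-bit and 32-bit fault models, and a 99.999% interval for the binomial law (10). Two choices are mine: the bounds are computed as $\pi(x)/x$ so that $2^{1024}$ never appears as a floating-point number, and the interval rule (grow from the mode towards the more probable neighbour) is one of several possible; the paper does not say which rule it used, so the endpoints can differ by one or two from its $[18, 80]$.

```python
import math

LN2 = math.log(2)


def pi_ratio_bounds(ln_x):
    """Dusart's bounds [Dus98, Thm 1.10] on pi(x)/x given ln_x = ln(x):
    the lower one holds for x >= 32299, the upper one for x >= 355991."""
    lower = (1 + 1 / ln_x + 1.80 / ln_x ** 2) / ln_x
    upper = (1 + 1 / ln_x + 2.51 / ln_x ** 2) / ln_x
    return lower, upper


def prime_prob_bounds(t):
    """(L_p(t), U_p(t)) of equation (9): bounds on pr_t = pi_t / 2^(t-1), the
    probability that a t-bit number is prime (t > 19).  Working with pi(x)/x
    keeps 2^1024 out of floating point (it would overflow a double)."""
    lo_t, hi_t = pi_ratio_bounds(t * LN2)          # pi(2^t) / 2^t
    lo_t1, hi_t1 = pi_ratio_bounds((t - 1) * LN2)  # pi(2^(t-1)) / 2^(t-1)
    # pi_t / 2^(t-1) = 2 * pi(2^t)/2^t - pi(2^(t-1))/2^(t-1)
    return 2 * lo_t - hi_t1, 2 * hi_t - lo_t1


def faulty_set_size(n, word_bits=8):
    """|N-set| for a random fault on one word of an n-bit modulus: 2^w values
    at each of the n/w word positions (32 * n for byte faults)."""
    return (1 << word_bits) * (n // word_bits)


def expected_primes(n, word_bits=8):
    """Average number of prime faulty moduli |N-set| * L_p(n), as in Table 1."""
    return faulty_set_size(n, word_bits) * prime_prob_bounds(n)[0]


def binomial_pmf_table(k, p):
    """pmf of B(k, p) for x = 0..x_max, x_max = mean + 30 standard deviations
    (nothing visible lies beyond); via lgamma so that k = 2^22 does not overflow."""
    mean, sd = k * p, math.sqrt(k * p * (1 - p))
    x_max = min(k, int(mean + 30 * sd) + 1)
    lk = math.lgamma(k + 1)
    return [math.exp(lk - math.lgamma(x + 1) - math.lgamma(k - x + 1)
                     + x * math.log(p) + (k - x) * math.log1p(-p))
            for x in range(x_max + 1)]


def prime_count_interval(k, p, confidence=0.99999):
    """Shortest integer interval [a, b] with Pr[a <= PN <= b] >= confidence
    under B(k, p) (equation (10)): start at the mode and extend, one integer
    at a time, towards the neighbour with the larger probability."""
    pmf = binomial_pmf_table(k, p)
    a = b = max(range(len(pmf)), key=pmf.__getitem__)
    mass = pmf[a]
    while mass < confidence:
        left = pmf[a - 1] if a > 0 else -1.0
        right = pmf[b + 1] if b + 1 < len(pmf) else -1.0
        if left < 0 and right < 0:
            break
        if left >= right:
            a -= 1
            mass += pmf[a]
        else:
            b += 1
            mass += pmf[b]
    return a, b


def interval_mass(k, p, a, b):
    """Pr[a <= PN <= b] under B(k, p): the sum of equation (10)."""
    return sum(binomial_pmf_table(k, p)[a:b + 1])


if __name__ == "__main__":
    for n, w in ((1024, 8), (2048, 8), (1024, 16), (1024, 32)):
        print(n, w, faulty_set_size(n, w), round(expected_primes(n, w), 3))
    lo = prime_prob_bounds(1024)[0]
    print("1/L_p(1024) =", 1 / lo, "99.999% interval:",
          prime_count_interval(faulty_set_size(1024), lo))
```

The byte-fault averages (46.186 and 46.176) and the 16-bit and 32-bit expectations of Table 1 come out of expected_primes; for any word size the average is $2^w/w \cdot n \cdot pr_n \approx 2^w/(w \ln 2)$, which is why the byte-fault dictionary has about 46 entries whatever the modulus length.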



4.2 Experimental results

We have computed such sets for randomly selected RSA moduli and counted the number of primes in those sets. The distribution seems to follow a binomial law (as expected) and we have the following experimental data to support our belief (see Figure 1).

As shown in Table 1, it was anyway never the case that no prime was found in a set $\mathcal{N}$ (more than that, we always found at least 18 primes in such a set). This experimental lower bound equals the one obtained by considering a random set. The same observation can be made for the upper bound. Hence, our obtained results confirm our theoretical analysis.

¹ For the sake of clarity we assume that a byte fault can take $2^8$ values. In fact, it can take only $2^8 - 1$. Indeed, the error cannot be null, otherwise the value of $N$ is unchanged and the fault cannot be exploited.

[Figure 1: Experimental distribution of primes among faulty RSA moduli. (a) Primes at consecutive 8-bit distance of some RSA modulus; (b) Primes at consecutive 16-bit distance of some RSA modulus.]




Table 1: Experimental counts of primes in $\mathcal{N}$.

  Architecture | n bits | |N|  | |N| · pr_n    | # of exp. | # of primes: Min. | Avg.    | Max.
  -------------|--------|------|---------------|-----------|-------------------|---------|-----
  8-bit        | 1024   | 2^15 | 46.186        | 114890    | 18                | 46.26   | 79
  8-bit        | 2048   | 2^16 | 46.176        | 57170     | 22                | 46.19   | 80
  16-bit       | 1024   | 2^22 | 5911.83       | 17725     | 5621              | 5919.08 | 6212
  32-bit       | 1024   | 2^37 | ≈ 1.94 · 10^8 | -         | -                 | -       | -

The presented results can be extended to other fault models. Table 1 also presents the theoretical expected results when 16-bit or 32-bit architectures are targeted. For $t = 1024$ with a 16-bit architecture, the average number of primes is 5911.83 and lies in $[5520, 6320]$ in 99.999% of the cases.

4.3 Consequences

This study strengthens J-P. Seifert's assumption [Sei05, Mui06] of considering only prime modifications of the modulus. We have shown that our fault model can be considered as a random modification of the public modulus. Then, an average of 709 faults on $N$ will be required to obtain a prime $\hat{N}$ in the case of a 1024-bit RSA.

4.3.1 Additional remark.

By carefully studying the experimental results, one can notice that, for a given modulus $N$, the byte location of the fault influences the number of primes found in the subset. Thus, if the attacker has the ability to set the byte location of the fault, he can increase his chances of getting a prime faulty modulus and therefore dramatically reduce the number of faulty signatures required to perform the attack.

4.4 The Algorithm of Tonelli and Shanks

The algorithm of Tonelli and Shanks [Coh93] is a probabilistic and quite efficient algorithm used to compute square roots modulo $P$, where $P$ is a prime number. The principle of the algorithm is based on the isomorphism between the multiplicative group $(\mathbb{Z}/P\mathbb{Z})^*$ and the additive group $\mathbb{Z}/(P-1)\mathbb{Z}$. Suppose $P - 1$ is written as:

    $P - 1 = 2^s \cdot r$, with $r$ odd.    (11)

Then, the cyclic group $G$ of order $2^s$ is a subgroup of $\mathbb{Z}/(P-1)\mathbb{Z}$. Let $z$ be a generator of $G$; if $a$ is a quadratic residue modulo $P$, then:

    $a^{(P-1)/2} = \left( a^{r} \right)^{2^{s-1}} = 1 \bmod P$    (12)

Noticing that $a^r \bmod P$ is a square in $G$, there exists an (even) integer $k \in [0 : 2^s - 1]$ such that

    $a^r \cdot z^k = 1$ in $G$    (13)

And so, $a^{r+1} \cdot z^k = a$ in $G$. Hence, the square root of $a$ is given by

    $a^{1/2} = a^{(r+1)/2} \cdot z^{k/2} \bmod P$    (14)

Both main operations of this algorithm are:

• Finding the generator $z$ of the subgroup $G$,

• Computing the exponent $k$.

The whole complexity of this algorithm is that of finding $k$: $O(\ln^4 P)$ binary operations, or $O(\ln P)$ exponentiations. The details of the above algorithm are described in [Coh93]. In practice, on a Pentium IV 3.2GHz, the GIVARO² implementation of this algorithm takes on average 7/1000 of a second to find a square root for a 1024-bit prime modulus.

4.5 Smooth modulus

As in [Mui06], what we really need for the faulty modulus is only to be easily factorable. Indeed, one can compute square roots modulo a non-prime modulus as long as the factorization is known. The idea is first to find square roots modulo each prime factor of $\hat{N}$, then to lift them independently to get square roots modulo each prime power, and finally to combine them using the Chinese Remainder Theorem (see e.g. [Sho05, §13.3.3] for more details). The number of square roots increases, but since they are computed on comparatively smaller primes, the overall complexity thus remains $O(\ln^4 \hat{N})$ binary operations. In the following we thus consider only prime faulty moduli.

² GIVARO is an open source C++ library over the GNU Multi-Precision Library. It is available on http://packages.debian.org/fr/sid/libgivaro-dev

5 Cryptanalysis

The purpose of our fault attack against the "Left-To-Right" exponentiation is similar to the attack against the "Right-To-Left" one [BCG08]. The modulus $N$ is transiently modified to a prime value during a squaring, $j_k$ steps before the end of the exponentiation. Then, from a correct/faulty signature pair $(S, \hat{S}_k)$, the attack aims to recover the part of the private exponent $d_{(k)} = \sum_{i=0}^{j_k - 1} 2^i \cdot d_i$ isolated by the fault. By referring to [BCG08], the following analysis can be easily adapted to faults that first occur during a multiplication.

5.1 Dictionary of prime modulus.

The first step consists in computing a dictionary of prime faulty modulus candidates $\{\hat{N}_i\}$. The attacker tests all possible values obtained by modifying $N$ according to a chosen fault model. Then, candidate values for $\hat{N}$ are tested using the probabilistic Miller-Rabin algorithm [Rab80]. According to our study (see Sect. 4.1), for a random byte fault assumption, the faulty modulus dictionary will contain 46 entries on average, either for a 1024-bit or a 2048-bit RSA. The size of the dictionary depends on the fault model (see Table 1).

5.2 Computation of square roots.

For each entry $\hat{N}_i$ of the modulus dictionary, the attacker chooses a candidate value $d'_{(k)}$ for the searched part of the private exponent. Now he can compute³:

    $R_{(d'_{(k)}, \hat{N}_i)} = \hat{S}_k \cdot \tilde{m}^{-d'_{(k)}} \bmod \hat{N}_i$    (15)

For the right pair $(d'_{(k)}, \hat{N}_i)$, $R_{(d'_{(k)}, \hat{N}_i)}$ is expected to be a multiple quadratic residue (i.e. a $j_k$-th quadratic residue, see Sect. 3.3). As a result, if $R_{(d'_{(k)}, \hat{N}_i)}$ is not a quadratic residue, the attacker can directly deduce that the candidate pair $(d'_{(k)}, \hat{N}_i)$ is a wrong one. The quadratic residuosity test can be done in our case because all precomputed candidate values for the faulty modulus are prime numbers. The test is based on Fermat's theorem: if

    $R_{(d'_{(k)}, \hat{N}_i)}^{(\hat{N}_i - 1)/2} \equiv 1 \bmod \hat{N}_i$    (16)

then $R_{(d'_{(k)}, \hat{N}_i)}$ is a quadratic residue modulo $\hat{N}_i$.

If the test is satisfied then the attacker can use the Tonelli and Shanks algorithm (see Sect. 4.4) to compute the square roots of $R_{(d'_{(k)}, \hat{N}_i)}$. Therefore, to compute the $j_k$-th square root of $R_{(d'_{(k)}, \hat{N}_i)}$, this step is expected to be repeated $j_k$ times. But, when one of the $j_k$ quadratic residuosity tests fails, the current candidate pair $(d'_{(k)}, \hat{N}_i)$ is directly rejected and the square root computation is aborted. The attacker then has to choose another candidate pair.

³ This computation is possible only when $\tilde{m}$ is invertible in $\mathbb{Z}/\hat{N}_i\mathbb{Z}$; in our case all the considered $\hat{N}_i$ are primes and Euclid's algorithm always computes the inverse.

5.3 Final modular check.

The purpose of the first two steps is to cancel the effects of the perturbation on the faulty signature. Now, from the $j_k$-th square root of $R_{(d'_{(k)}, \hat{N}_i)}$, the attacker simulates an error-free end of execution by computing:

    $S' = \left( R_{(d'_{(k)}, \hat{N}_i)}^{1/2^{j_k}} \bmod \hat{N}_i \right)^{2^{j_k}} \cdot \tilde{m}^{d'_{(k)}} \bmod N$    (17)

Finally, he checks whether the following equation is satisfied:

    $S' \equiv S \bmod N$    (18)

As in the "Right-To-Left" attack [BCG08], when this latter condition is satisfied, it means that the candidate pair is very probably the searched one (see Sect. 6.3). Moreover, the knowledge of the already found least significant bits of $d$ is used to reproduce the attack on the subsequent secret bits. As a consequence, the attacker has to collect a set of faulty signatures $\hat{S}_k$ by injecting the fault at different steps $j_k$ before the end of the exponentiation. Moreover, multiple faulty signatures $\hat{S}_{k,f}$ have to be gathered for a given step $j_k$ to take into account the probability of having a faulty signature $\hat{S}_k$ computed under a prime $\hat{N}_i$, that is to say exploitable by the cryptanalysis. This set $\{(\hat{S}_{k,f}, j_k)\}_{k,f}$ is sorted in descending fault location, i.e. by increasing $j_k$, so that the least significant bits are recovered first. If faults are injected regularly, each sorted pair is used to recover an $l$-bit part of the exponent such that, for the $k$-th pair $(\hat{S}_{k,f}, j_k)$, the recovered part of $d$ is $d_{(k)} - d_{(k-1)} = \sum_{i=0}^{j_k - 1} 2^i \cdot d_i - \sum_{i=0}^{j_{k-1} - 1} 2^i \cdot d_i$. These results can be applied to faults that are not injected regularly (i.e. $j_k - j_{k-1} = l_k \leq l_{max}$). The attack algorithm is given in more detail next.

Algorithm 3: DFA against "Left-To-Right" modular exponentiation

INPUT: N, m̃, the correct signature S, the size of the dictionary D_length,
       the set of pairs (Ŝ_{k,f}, j_k), 0 ≤ k ≤ n/l, 1 ≤ f ≤ n(F_n)
OUTPUT: the private exponent d

//Computation of the dictionary of prime faulty modulus candidates
Dict := Build_Prime_Dict(N, D_length);
//Initialization
d := 0;

//All the faulty signatures are tested
for k from 0 upto floor(n/l)
    for f from 1 upto n(F_n)
        for d_(k) from 0 upto 2^l - 1
            d' := d_(k) · 2^{j_{k-1}} + d;
            for i from 1 upto D_length
                R := Ŝ_{k,f} · m̃^{-d'} mod Dict[i];
                //The function computes j_k square roots and returns 0 when a test fails
                R := Test_And_Tonelli(R, j_k, Dict[i]);
                //If a test fails, then we have to test another candidate pair
                if (R == 0)
                    continue;
                else
                    S' := R^{2^{j_k}} · m̃^{d'} mod N;
                    //Final check
                    if (S' == S mod N)
                        //The attack continues for the subsequent l-bit part of d
                        d := d';
                        goto the next k;
                    end if;
                end if;
            end for;
        end for;
    end for;
end for;
return d;

6 Performance

6.1 Fault number

Our fault model is based on the modification of the modulus $N$ such that its corresponding faulty value is prime. In Section 4.1 we have shown that the probability for a $t$-bit number to be prime, $pr_t$, can be bounded. Now, let the number of faults needed to make $\hat{N}$ prime be the random variable $F_t$. This random variable follows a geometric probability law. Hence the average number of faults to make $\hat{N}$ prime is:

    $E(F_t) = \frac{1}{pr_t}$    (19)

For large values of $t$ (i.e. at least 1024- or 2048-bit RSA), we can use the pinching (or sandwich) theorem to approximate this value asymptotically:

    $E(F_t) \approx t \cdot \ln(2) \approx \frac{t}{1.441}$    (20)

From a given faulty signature, the attacker can recover an $l$-bit part of $d$. There are at most $n/l$ such parts for an RSA of size $n$. This shows that the average number of faults required for a whole private key satisfies:

    Number of faults $= O\left( \frac{n^2}{1.441 \cdot l} \right)$ tries    (21)

This number can be dramatically reduced if the attacker has the ability to choose the byte location of the fault (see Sect. 4.1) or if the fault model is larger (i.e. smooth modulus, different architectures targeted, ...).
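As an added, runnable illustration of Sections 4.4, 5 and 6.1 (my code, not the authors'), the following Python simulates the whole attack on a constructed toy key: the dictionary of prime faulty moduli (Miller-Rabin), the residuosity tests and Tonelli-Shanks root extraction, the final modular check, and the window-by-window recovery from the least significant bits, with the random byte faults of Section 4 repeated until the faulty modulus is prime and counted. Assumptions and deviations, all mine: a 64-bit $N$ built from two known 32-bit primes and $e = 65537$; the faulty signature is produced from the closed form (7) (what Algorithm 2 returns under the fault) rather than by running Algorithm 2 step by step; only exploitable (prime $\hat{N}$) signatures are fed to the search, whereas a real attacker cannot tell them apart and pays a full pass over the candidate pairs for every non-exploitable one; the register $A$ may exceed $\hat{N}$, so $A + k\hat{N}$ is also tried in the final check. One point the paper's description glosses over and that matters for cost: writing $\hat{N} - 1 = 2^s q$ with $q$ odd, the $2^{j_k}$-th powers modulo $\hat{N}$ form the subgroup of index $2^{\min(j_k, s)}$, so a single exponentiation $R^{(\hat{N}-1)/2^{\min(j_k,s)}}$ decides whether $R$ has a $2^{j_k}$-th root, and for $\hat{N} \equiv 3 \bmod 4$ every quadratic residue passes all $j_k$ tests (the $1/2^{j_k}$ filtering of Section 6.3 only applies when $s \geq j_k$). When $j_k \geq s$ the roots are obtained directly as $R^{2^{-j_k} \bmod q}$ times the $2^s$-th roots of unity; Tonelli-Shanks is used for the $j_k < s$ case.

```python
import random

def is_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (deterministic below 3.3e24), Section 5.1."""
    if n < 2 or any(n % p == 0 for p in bases):
        return n in bases
    s = ((n - 1) & (1 - n)).bit_length() - 1        # n - 1 = 2^s * d, d odd
    d = (n - 1) >> s
    for a in bases:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False                            # a is a witness: n is composite
    return True

def two_part(p):
    """p - 1 = 2^s * q, q odd; g = z^q for a non-residue z generates the order-2^s subgroup."""
    s = ((p - 1) & (1 - p)).bit_length() - 1
    q, z = (p - 1) >> s, 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    return s, q, pow(z, q, p)

def tonelli_shanks(a, p, s, q, g):
    """Square root of the non-zero quadratic residue a modulo p (Section 4.4)."""
    c, x, t, m = g, pow(a, (q + 1) // 2, p), pow(a, q, p), s
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                              # least i with t^(2^i) = 1
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        x, c, t, m = x * b % p, b * b % p, t * b * b % p, i
    return x

def roots_2j(r, j, p, s, q, g):
    """All x with x^(2^j) = r (mod p).  The 2^j-th powers form the subgroup of index
    2^min(j, s), so r is one iff r^((p-1)/2^min(j, s)) = 1 (Euler's criterion (16) for j = 1)."""
    if r == 0 or j == 0:
        return [r]
    if pow(r, (p - 1) >> min(j, s), p) != 1:
        return []                                   # wrong candidate: rejected at once
    if j >= s:                                      # r has odd order: x0 = r^(2^-j mod q)
        x0 = pow(r, pow(1 << j, -1, q), p)          # is a root and the others differ
        return [x0 * pow(g, i, p) % p for i in range(1 << s)]   # by a 2^s-th root of 1
    x = tonelli_shanks(r, p, s, q, g)               # j < s: follow both square roots
    return roots_2j(x, j - 1, p, s, q, g) + roots_2j(p - x, j - 1, p, s, q, g)

def prime_dictionary(N, w=8):
    """Section 5.1: the primes among N XOR (R << w*i), R = 1..2^w - 1, with their 2-part."""
    words = (N.bit_length() + w - 1) // w
    cands = (N ^ (R << (w * i)) for i in range(words) for R in range(1, 1 << w))
    return [(c, *two_part(c)) for c in cands if is_prime(c)]

def faulty_signature(m, d, N, j, N_hat):
    """Equation (7): what Algorithm 2 returns when the modulus becomes N_hat at the
    square performed j steps before the end (A = m^(d >> j) mod N is still correct)."""
    A = pow(m, d >> j, N)
    return pow(A, 1 << j, N_hat) * pow(m, d % (1 << j), N_hat) % N_hat

def recover_window(S, S_hat, m, N, j, d_low, l, dictionary):
    """Sections 5.1 to 5.3 for one window: bits j-l..j-1 of d from (S, S_hat), the
    fault position j and the already known lower bits d_low; (window, N_hat) or None."""
    for N_hat, s, q, g in dictionary:
        inv = pow(m, -1, N_hat)
        r = S_hat * pow(inv, d_low, N_hat) % N_hat   # equation (15) for window 0,
        r_step = pow(inv, 1 << (j - l), N_hat)       # then from w to w + 1
        md, md_step = pow(m, d_low, N), pow(m, 1 << (j - l), N)   # m^d' mod N
        for w in range(1 << l):
            for a in roots_2j(r, j, N_hat, s, q, g):  # candidates for A mod N_hat
                for A in range(a, N, N_hat):          # A itself may exceed N_hat
                    if pow(A, 1 << j, N) * md % N == S:   # (17) and (18)
                        return w, N_hat
            r, md = r * r_step % N_hat, md * md_step % N
    return None

def run_attack(l=8, seed=7):
    """Whole-key recovery on a toy key: per l-bit window, random byte faults are
    injected j = l, 2l, ... steps before the end until the faulty modulus is prime
    (the attacker only ever sees S_hat).  Returns (success, faults, |Dict|)."""
    p, q = 4294967291, 4294967279                    # constructed toy key: two 32-bit primes
    N, d = p * q, pow(65537, -1, (p - 1) * (q - 1))  # (a 64-bit N is far from secure)
    rng, bits = random.Random(seed), N.bit_length()
    m = rng.randrange(2, N)                          # stands for the padded message
    S, dictionary = pow(m, d, N), prime_dictionary(N)
    words, d_low, faults = bits // 8, 0, 0
    for k in range(bits // l):
        j, N_hat = (k + 1) * l, N
        while not is_prime(N_hat):                   # the fault campaign for this j
            N_hat = N ^ (rng.randrange(1, 256) << 8 * rng.randrange(words))
            faults += 1
        S_hat = faulty_signature(m, d, N, j, N_hat)
        w, _ = recover_window(S, S_hat, m, N, j, d_low, l, dictionary)
        d_low |= w << (k * l)
    return d_low == d, faults, len(dictionary)
```

run_attack() returns whether $d$ was recovered, the number of faults the campaign needed (about $1/pr_{64} \approx 44$ per window here, in line with (19)-(20)), and the dictionary size (about $32/\ln 2 \approx 46$ whatever the modulus length, as in Section 5.1).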

6.2 Computational complexity

We now give the overall complexity of the attack. The size of the dictionary, $D_{length}$, is left as an attack parameter, since the attacker can fix a limit if the chosen fault model requires more resources than he can get. According to our previous analysis (see Sect. 4.1), $D_{length} \approx 46$ for a random byte fault assumption.

Theorem 1. Algorithm 3 is correct and its average complexity for a random byte fault perturbation of the modulus satisfies:

    $C_{attack} = O\left( \frac{2^{l+1} \cdot n^3 \cdot (n+l)^2}{16 \cdot l} \right)$ exponentiations

Proof. Correctness has been shown in Section 5. Now for the complexity, the attacker has to test all possible candidate pairs $(d'_{(k)}, \hat{N}_i)$. The number of pairs depends on the size of the dictionary of prime moduli, denoted by $D_{length}$, and on the window recovery length $l$:

    $N_{pairs} = 2^l \cdot D_{length}$    (22)

For each pair the attacker first computes $R_{(d'_{(k)}, \hat{N}_i)}$ (see (15)) by executing a modular exponentiation of the message and a multiplication. Then, he performs a series of at most $j_k$ quadratic residuosity tests and, for each success, a square root is computed. By noticing that the probability of failing the test follows a geometric probability law, the average number of performed tests⁴ is $\Pr[\text{Test fails}]^{-1} = 2$. As a consequence, the average complexity of this step is:

    $C_{Square\ roots}(k) = O\left( 2 \cdot C_{Test} + C_{Tonelli \& Shanks} \right)$    (23)

    $C_{Square\ roots}(k) = O(j_k \cdot n)$ exponentiations

The last step of the attack is the final check (see (17)). It requires computing $j_k$ modular squares and a modular exponentiation of the message followed by a multiplication. The latter computation is also bounded by $O(j_k \cdot n)$ exponentiations.

Now, in the case of a fixed size dictionary, the average number of faults per block needed to obtain a faulty modulus that belongs to the dictionary, $N_{faults\ per\ block}$, is the one given by (19) and (20).

Then, the attack has to test all of the gathered faulty signatures in order to recover the whole exponent. Hence, as $j_k$ is bounded by $k \cdot l$, the overall computational complexity is bounded by:

    $C_{attack} = \sum_{k=0}^{n/l} N_{faults\ per\ block} \cdot C_{Square\ roots}(k) \cdot 2^l \cdot D_{length}$    (24)

    $C_{attack} = O\left( \frac{2^{l+1} \cdot n^3 \cdot (n+l)^2}{16 \cdot l} \right)$    □

The presented attack is thus longer than the "Right-To-Left" one [BCG08], the principal reason being the extra number of faulty pairs to analyze in order to get a prime modulus.

⁴ The test fails when the tested value is not a quadratic residue. But all the $\hat{N}_i$ are prime. Let $z_i$ be a generator of $(\mathbb{Z}/\hat{N}_i\mathbb{Z})^*$; all the elements of the group can be expressed as a power of $z_i$. Hence one element out of 2 is a power of $z_i^2$ and a quadratic residue.

6.3 False-acceptance probability

As defined in [BCG08], the false-acceptance probability is the probability for a wrong pair $(d'_{(k)}, \hat{N}_i)$ to satisfy (18). In our case, the computation of the final check is done in $\mathbb{Z}/N\mathbb{Z}$ and requires extra squares. As a consequence, the false-acceptance probability given in [BCG08] has to be adapted by replacing the search space for $\hat{N}$ by the dictionary length $D_{length}$:

    $\Pr[F.A.] \leq \frac{n \cdot (2^l \cdot D_{length} - 1)}{N}$    (25)

Moreover, because of the quadratic residuosity tests (see Sect. 5.2), false candidates can be rejected before computing the final check. Hence, the final check will not always be done. The probability that a wrong pair passes all the $j_k$ tests is given by:

    $\Pr\left[ R_{(d'_{(k)}, \hat{N}_i)} \text{ is a } j_k\text{-times quadratic residue} \right] = \prod_{i=0}^{j_k - 1} \Pr\left[ \left( R_{(d'_{(k)}, \hat{N}_i)} \right)^{1/2^i} \text{ is a quadratic residue} \right] = \frac{1}{2^{j_k}}$    (26)

This probability indicates that, for recovering the $k$-th part of $d$, only one out of $2^{j_k}$ wrong pairs will pass all the quadratic residuosity tests. Eventually, the false-acceptance probability can be upper-bounded:

    $\Pr[F.A.] \leq \min\left( \frac{2^l \cdot D_{length}}{2^{j_k}},\; \frac{n \cdot (2^l \cdot D_{length} - 1)}{N} \right)$    (27)

This expression first shows that, because of the last term $n \cdot (2^l \cdot D_{length} - 1)/N$, the false-acceptance probability is highly negligible for commonly used RSA lengths. Furthermore, one can advantageously notice that the final check can be avoided when the number of consecutive quadratic residuosity tests to pass is large enough (i.e. $2^{j_k} > D_{length} \cdot 2^l$).



7 Conclusion

In this paper, we generalize the fault attack presented in [BCG08] to the "Left-To-Right" implementation of RSA by assuming that the faulty modulus can be prime. Although this model has already been used [Sei05], this paper provides a detailed theoretical analysis in the fault attack context. Furthermore, this analysis proves that such a fault model is not only practicable but extendible to different architectures. This emphasizes the need for protecting RSA public elements during the execution.

More generally, the use of a faulty prime modulus to compute square roots in polynomial time raises the question of using faults for changing the algebraic properties of the underlying finite domain. This paper provides an element of answer that may be completed by future fault exploitations.